About ransomware and malware

I have some questions regarding malwares.
How are these made? Are these normal win32 exes.
And does the recent wanna cry Ransom ware affects Linux. And what are your suggestions on how protect from ransom ware as handmade devs.
They are normal executables with the same file accesses as any other. The tricky part is getting them executed.

best protection against ransomware is to have backups to restore from.

anything more like segregating the protections between applications will just end up annoying you when you try and do anything.
Additionally to backups (which should be your last resort) do following:

1) always install latest updates on your OS and software
2) don't open strange executables from internet
3) don't open random attachments in e-mails - even if they are just images or word documents
4) preferably work on isolated machine without access to internet, or do isolation of software that needs access to network, for example - virtual machine when possible, or some kind of containers (like docker/systemd-nspawn/chroot on Linux)

Malware is typically made in one of two ways - or both at the same time. One is just to do social engineering, and just send executables or scripts in word document (or similar) from addresses you might thing are legit - like your bank, or friends/colleges. And expect you to open it. Once you do it, then it can start infecting all the files you have access to.
Second option is to exploit some bugs in OS or software you run it. By doing it, the malware can automatically launch without any action from you. Just by opening email (without launching any attachment) you can get infected. It can be used to launch executable code from email you are viewing, or to spread automatically and faster to different machines your machine can connect to.

Edited by Mārtiņš Možeiko on
Hi,

I'm a professional malware analyst, so the domain of this question is what I literally do 8-10 hrs a day.

As the folks above said, malware = malicious software. This means that it is software like any other kind with the exception of it often needing to hide from antivirus, antimalware, the user, and even analysts like me in order to best accomplish its mission. Why? Well, if it is detected, definitions are written and the threat diminishes greatly.

Martins offered great advice for protecting yourself from malware. Even in the most severe cases with the so-called most advanced/ "sophisticated" malware like Stuxnet (malware said to halt Iran's nuclear program by a couple years) or NSO Pegasus (malware which took over iPhones with a rootkit silently allowing the attacker to access camera, GPS, etc...), there is usually some silly user mistake which unleashes the payload. In the case of Stuxnet, the malware attempted to login to Siemens-brand Programmable Logic Controller management software with the default password of "1234" or "password." In the case of the Iranian nuclear research facility, they had left this as the default password, probably because they forgot that the computer was in fact connected to the network or just were not thinking. This allowed Stuxnet to control and destroy centrifuges in the facility.

NSO Pegasus also required the victim to click a link for it to activate and take over the phone. Just one link, but it still required a user mistake. This is most common in malware but it is not always the case for individuals. For example Wanacry did require someone to initially open the malware on a network, but once that person did, the malware would spread to every out-of-date computer on the network and infect it without those users doing a single thing.

"Advanced" malware does this by exploiting what's called zero-day vulnerabilities. WanaCry actually did not exploit a zero day, but first let's talk about what a zero day even is.

All a zero day is is a software exploit that nobody knows about except for the finder of the exploit. So, say you open up some program that is used to track retail stock at a retail store and in the login screen, for the username, you enter 5,000 characters, and for the password, you enter 2,000 characters. The program crashes. There are tools that help with this, but you can fool with the program, open it in a debugger, and find a vulnerability like a memory leak, buffer overflow, etc... Say you are able to bypass the entire login screen by entering characters like this and gain access to sensitive information, or cause the program to do other unexpected behavior. If you didn't report this to the developer, this would essentially be a "zero-day exploit."

Now, you create a piece of malware and you program it to perform this exploit, access the system, and once in there, do damage. This is how malware is made.

Other very common characteristics of malware is something called hooking, process replacement, and process injection. Without going into crazy amounts of detail, imagine instead of creating a program that does bad things, you instead create a library file or DLL. Instead of launching the malicious code directly, you trick Mozilla Firefox into accessing and running the code, thinking that it's running a legitimate system DLL. Or, you wait until Mozilla Firefox is loaded in memory, and your program overwrites and replaces some of the data in memory with malicious code.

The above techniques offer several benefits for malware:

  1. The non-technical victim can hit Ctrl+Shift+Escape or Ctrl+Alt+Del amd they won't find a single suspicious process. They may see Firefox, but that's a name they know and trust. Little do they know that the malware is embedded in Firefox's memory space!
  2. It could be for example inside lsass.exe and when you Google that, it appears like a legitimate Microsoft system file
  3. Even anti-malware which scans the memory and processes for viruses may miss malware which is loaded into an otherwise legit process.

However, there are some tried-and-true ways to detect even the most advanced malware. If you go to Microsoft and download the Sysinternals tools, particularly Process Explorer and ProcMon, and you learn them like the back of your hand, you can detect most of this stuff. This is because ProcMon will show you the behavior of every single thing going on on the computer, and in Process Explorer, you can set what's called highlight duration to several seconds, so when you launch a bad malware or suspicious file and it tries to hide itself within 20 milliseconds, it will still show and you will be onto it.

There are many, many other aspects to malware and malware research. The tools that I just explained to you are called "dynamic analysis" tools because they observe the behavior of the malware once it is running. There is also static analysis, where you examine the file's data, strings, function imports, API calls, and more before you ever run it. In fact, you can use a disassembler to view the x86 assembly code of the malware and learn A LOT. This is what I do on a regular basis at my job. If you ever want to know more, feel free to contact me.

Linux and Mac malware exist, but aren't currently as prevalent as Windows malware. However, Mac malware is definitely becoming a bigger thing these days. If you're a Linux guy, check out Remnux, it's got everything you need to analyze malware to your hearts content. If you ever want to do so, run an UPDATED virtual machine and make sure it's de-networked from any computers you care about.

Edited by Todd on
Thanks todd for the info.
I just want to learn these so I can protect my software these malware and make my software less exploitable.
The kind of malware that infects system through your your app - you protect against that by making sure there are no bugs in your code. Like reading unintialized variables, buffer overflows and similar. Also no logic bugs.
There are bunch of tools that can help you here. If you compile&run your app on Linux/OSX, then there is great support from clang - address&memory sanitizers. There's also Valgrind.
On Windows there is DrMemory that does some of that. And there is bunch of commercial tools.
If you are processing some data as input (like network packets, file formats, save files, etc) then you can do fuzzing. This is a way how to generate a lot of random data in intelligent way that will test your system to handle various valid/invalid inputs. Good free tools for this is afl (american fuzzy loop), and libFuzzer from clang.

If you want to be really pedantic, there are coding standards that minimize risk for various security bugs. It's a lot of overhead, but some of the rules are really reasonable.
http://web.archive.org/web/201107...arch.att.com/~bs/JSF-AV-rules.pdf
http://caxapa.ru/thumbs/468328/misra-c-2004.pdf
http://frey.notk.org/books/MISRA-Cpp-2008.pdf
https://www.cert.org/secure-codin...cure-coding-cpp-download-2016.cfm
https://www.securecoding.cert.org...play/c/SEI+CERT+C+Coding+Standard
https://www.securecoding.cert.org.../pages/viewpage.action?pageId=637
https://google.github.io/styleguide/cppguide.html

The kind of malware that infects system through other apps, and just infects your app because it is on system - you cannot protect against that in your app at all.

WannaCry only affects Linux in a sense that if you had some share from Linux attached to Windows machine that got infected. By itself it cannot run on Linux, but it can encrypt files that are on Linux accessible from infected Windows machine. Well if you start running windows apps through wine, then potentially you could run this malware on Linux :)

You protect against ransomware by updating your systems with latest patches. Ideally by keeping your system offline - never connect it to network. If you must, make sure you have firewall running (or enabled on router, don't turn on DMZ). Disable upnp on router. Don't have a lot of ports forwarded to your PC. Ideally just keep one - vpn or ssh trough which you tunnel into your lan. Firewall/router is more important than having anti-virus. I actually have not been using anti-virus (except Defender stuff that is built-in Windows) for like 15 or so years. And never got infected. Just have firewall/router, adblocker and common sense. Also have a good backup system. That means currently running malware should not be able to corrupt previously backed up data - so connected external hdd is not a good backup for this use case. It should be append-only storage. Something like uploading latest blob of data to cloud server without touching previously uploaded data would be ok approach. Then at any time if you detect something is corrupted/infected, you simple take latest good backup and restore from it.

Edited by Mārtiņš Možeiko on
I also write software using CLR . So any specific tools for CLR or is it possible to use same tools but I doubt that. Anyways thanks for the info.
For .NET this is much easier, because it doesn't have buffer overflow or similar vulnerabilities as native code. So very large class vulnerabilities doesn't apply to .NET (or similar environments like JavaScript, Python or Java). VM create environment where this is automatically checked and enforced. That said, if you use any native code libraries or unsafe code in C# and manipulate pointers manually, you could still introduce exploitable bug. So try to avoid that as much as possible.
IMO, if you want to protect your native programs from attack and also learn more about this stuff, a good option you can do (aside from what Martins mentioned; fuzzing and Valgrind/Dr. Memory is also a great idea) is to try and attack them yourself. This is not a 100% effective method... A better way would be to hire professional hackers to do this, but you can do quite a bit and you may enjoy it as well. I know some guys who are some of the best in the business and this is the software they use:

https://github.com/zardus/ctf-tools

https://github.com/longld/peda


Edited by Todd on